Struggling to Set Up Active Directory with LDAP

Ok, have used the following settings to get things working. They might be of help to others.
This setup is for internal LAN use only, not visible to the outside world.

LDAP Server Url: just the IP address with ldap:// as a prefix seems to work, without needing to specify the port.
Base Distinguished Name (DN): the username of an Active Directory account set up specifically for LDAP, i.e. ldap@domain.local
LDAP search path for Users & LDAP search path for Groups: I had to use the same entry for both, obviously replacing LAN Users and LAN Group with your own
OU=LAN Users,OU=LAN Group,DC=domain,DC=local
LDAP Search String: (&(objectClass=user)(sAMAccountName={0}))
LDAP Username Field: sAMAccountname
LDAP First Name Field: givenname

All other settings as standard.

I have not yet tried to create new accounts; instead I imported a user list. I have also not yet tried to use AD groupings to match users to roles.

Note that you need to specify an email address in the Active Directory entry, otherwise ERPNext will warn of an error. I was able to log in using the Active Directory username, and not use the email address.

Cheers,
Paul
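
How the LDAP Search String from the post expands for one login name, as an added example (not part of the post above and not ERPNext's own code): the `{0}` placeholder is filled with the typed username after RFC 4515 escaping, so characters such as `*` or `(` in the login field are matched literally instead of changing the filter. The function names are assumptions made for this illustration.

```python
# Added illustration; not ERPNext code. Function names are assumptions.
SEARCH_STRING = "(&(objectClass=user)(sAMAccountName={0}))"  # from the post

# RFC 4515, section 3: these characters must be written as \XX (hex) inside
# a filter value, otherwise they alter the structure of the filter itself.
ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Return value with every LDAP filter metacharacter hex-escaped."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(login: str, template: str = SEARCH_STRING) -> str:
    """Fill the {0} placeholder with the escaped login name."""
    if not login or not login.strip():
        raise ValueError("empty login name")
    return template.format(escape_filter_value(login))


def filter_term_count(ldap_filter: str) -> int:
    """Count opening parentheses; after escaping, each one starts a term."""
    return ldap_filter.count("(")


if __name__ == "__main__":
    # Constructed sample inputs: a normal name and two with metacharacters.
    for name in ("paul", "*", "a)(b"):
        built = build_user_filter(name)
        print(f"{name!r:10} -> {built}  terms={filter_term_count(built)}")
```

Whatever is typed into the login field, the resulting filter keeps exactly three terms: the `&`, the `objectClass` test and the `sAMAccountName` test.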